Closed mparada closed 3 years ago
Keycloak does some auto-configuration on realm import, while keycloak-config-cli does not.
By adding
    "bearerOnly": false,
    "serviceAccountsEnabled": true,
    "authorizationServicesEnabled": true,
    "publicClient": false,
to the client realm-management, the import will succeed.
I would propose using an export of the realm as imported by Keycloak as the base.
By default, if you add authorizationSettings to a client, the client needs to be confidential and needs a service account (a real user).
Both are missing in the configuration.
I added some pre validation checks: https://github.com/adorsys/keycloak-config-cli/pull/233
Hello @jkroepke,
I do believe that changing "serviceAccountsEnabled" to true can lead to security issues, as it is now possible to sign in to the realm using the realm-management client's credentials and do any administrative tasks.
During the manual configuration (via Web UI) it is possible to add the permission for token exchange without changing the authorization type of realm-management.
During the manual configuration (via Web UI) it is possible to add the permission for token exchange without changing the authorization type of realm-management.
Can you provide a step-by-step manual to achieve this?
Let me share what I have found; I hope it helps to reproduce it. I used the guide from the Keycloak official manual (https://www.keycloak.org/docs/latest/securing_apps/) and one unofficial from here: https://keycloak.ch/keycloak-tutorials/tutorial-token-exchange/
The main difference between these two is that the official guide does it via Web UI, and the second one via admin-cli (read as via Keycloak Admin API).
So, to reproduce through the Web UI:
1. Go to the Permissions tab of the Identity Provider and toggle the Permissions Enabled switch to the on position.
2. Click the token-exchange link in the newly appeared permissions table.
3. Use token-exchange as a scope; this permission will be under the Clients > realm-management > Authorization > Permissions path.
4. Check the realm-management client: it still has Authorization Type: bearer-only.
I set up a Keycloak through Docker.
I created an identity provider (type: oidc), but I do not have a Permissions tab yet.
Sorry, I should have mentioned that you need to run the Keycloak with the token exchange feature enabled:
docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:16.1.0 -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
I will look into it. I never ran keycloak-config-cli against a feature-toggled Keycloak.
Hi @ic2hrmk
I can confirm: if I follow your steps, authorizationSettings are defined while authorization is bearer-only.
But it is not possible to reproduce this through the import API of Keycloak. For example, if you do a partial realm export with clients, delete the realm inside Keycloak and create a new realm based on the exported JSON file, the realm-management client has access type confidential and a service account. If I manually set the access type to bearer-only after importing the realm, all authorizationSettings are gone.
There is a huge inconsistency inside Keycloak. It looks like not all REST APIs provided by Keycloak support the features behind keycloak.profile.feature.admin_fine_grained_authz.
I will remove the pre-validation in keycloak-config-cli.
Well, such realms provided by the author still result in an HTTP 500, but it's up to Keycloak to fix that.
For reference, here is the stacktrace from Keycloak:
Hello @jkroepke,
Thank you so much for a quick response and for validating this case!
I ended up letting the realm-management client stay with Access Type: confidential, but I manually disabled the service account for this client, something like:
{
  "users": [
    {
      "username": "service-account-realm-management",
      "enabled": false,
      ...
    }
  ]
}
Not sure if it's the best approach, but it prevents this service account from obtaining the authorization token in the realm.
I was about to disable the Service Accounts Enabled option in the Realm Management client itself, but it seems that it's not possible: https://issues.redhat.com/browse/KEYCLOAK-3764
Regarding pre-validation, is it possible to disable it with some kind of flag? Like --no-authorization-pre-check.
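An added example, not code from keycloak-config-cli or from either commenter, that turns the two points discussed in this thread into a check over a realm export: the preconditions jkroepke names for a client carrying authorizationSettings (confidential client plus service account), and the workaround above of leaving the client confidential but disabling its service-account user. The realm JSON and the message strings are constructed for the example.

```python
import json

# Constructed sample (not from the issue): realm-management carries
# authorizationSettings but is still bearer-only, the shape reported as a 500.
SAMPLE_REALM = json.loads("""
{
  "clients": [
    {"clientId": "realm-management", "bearerOnly": true, "publicClient": false,
     "serviceAccountsEnabled": false,
     "authorizationSettings": {"scopes": [{"name": "token-exchange"}]}},
    {"clientId": "frontend", "publicClient": true}
  ],
  "users": [{"username": "service-account-realm-management", "enabled": true}]
}
""")


def authz_preconditions(client):
    """Rules a client with authorizationSettings violates; Keycloak expects
    such a client to be confidential with a service account."""
    if "authorizationSettings" not in client:
        return []
    problems = []
    if client.get("bearerOnly", False):
        problems.append("bearerOnly must be false")
    if client.get("publicClient", False):
        problems.append("publicClient must be false")
    if not client.get("serviceAccountsEnabled", False):
        problems.append("serviceAccountsEnabled must be true")
    return problems


def check_realm(realm):
    """clientId -> violated rules, listing only offending clients."""
    report = {}
    for client in realm.get("clients", []):
        problems = authz_preconditions(client)
        if problems:
            report[client["clientId"]] = problems
    return report


def disable_service_account_users(realm, client_ids):
    """Thread's workaround: keep the client confidential but switch off its
    service-account user so the client credentials cannot obtain a token."""
    names = {"service-account-" + cid for cid in client_ids}
    disabled = []
    for user in realm.get("users", []):
        if user.get("username") in names and user.get("enabled", True):
            user["enabled"] = False
            disabled.append(user["username"])
    return disabled
```

Run check_realm over the export before handing it to keycloak-config-cli; for every reported client that must stay confidential, disable_service_account_users removes the implicit admin credential while keeping the authorization settings importable.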
Not sure if it's the best approach
The best approach is to report this here, since issues.redhat.com is obsolete.
Regarding pre-validation, is it possible to disable it with some kind of flag?
I will remove the pre-validation from keycloak-config-cli, but Keycloak will validate it and return an HTTP 500 in such cases.
Edit: A toggle is a good idea.
Summary: When using config-cli to create a realm which has modifications to the default authorization settings in the realm-management client there is an Internal Server Error. Using the same json file through the Admin Console works as expected.
Environment: Keycloak version 11.0.2 (running on Docker 19.03.11 with the given docker-compose.yml, docker-compose version 1.25.4); config-cli version v2.5.0.
Here is a simplified version of the import file, simple-realm_update-realm-management-client.json:
Importing this JSON file into Keycloak using the Admin Console when creating the realm is successful. However, when trying to import it using config-cli we get the following error.
command for config-cli:
output:
And the Keycloak server logs:
Note: Removing the authorizationSettings part (lines 64-205) results in a file that can be imported with config-cli without any problems.